Notes on Scrambling for Safety 2016 – Session 1
7 January 2016
Once again we have to thank Her Majesty’s Government for an opportunity to get together and discuss encryption and surveillance policy. Here are my notes from the first session. Since they were taken in real time they are not a very faithful record, and any mistakes are probably mine rather than the speakers’…
Lord Strasburger opens the event by declaring himself a “Scrambling for Safety virgin”. Interestingly, he says the bill is good in so far as it clarifies what powers exist and are used; however, it still needs more work. A number of other MPs are apparently in the room, according to Julian Huppert, and the main event can commence.
The first panel starts with David Omand, whom Ross Anderson kindly named as the unofficial government spokesperson. He interestingly starts off by mentioning the Snowden revelations, which to many came as a surprise and a shock in 2013. However, he then mentions that the Charlie Hebdo and Paris attacks, the Tunisian massacre and immigration in 2015 made the “pendulum swing” towards a demand for intelligence. So he expects 2016 to be a year of reconciliation, in which a new social compact around surveillance is reached. That, he considers, is the challenge of the bill. It is also the first time that all intelligence powers will be fully under the rule of law — and he mentions a long history of operations to protect the state that were not in fact part of the parliamentary process. This was a regime of “hidden guardians” — operating outside statute law — that turned into a regime of executive oversight, and then in the 1980s the ECHR forced the government to legislate some aspects of intelligence. With the Snowden revelations it became necessary to bring more clarity, beyond compliance and reliance on obscure provisions. So now we have the opportunity to open a new phase in which parliament openly authorizes all the practices. That would be a 500-year first, an international first, and an opportunity.
Richard Clayton will be talking about Internet Connection Records (ICRs), and he points out the bill is extremely unclear about this matter. He mentions that ISPs know “who did what”, and with previous bills the government mandated the retention of some of that data. This was due to some slowness of the police in requesting the records, as well as the need to investigate some past crimes. The implementation, however, was faulty, since the retained records did not allow for reliable traceability, as in the case of NATs. At some point European courts found that retention was not proportionate, and the UK government rushed through new legislation to legitimize the retention capability. So this new bill is the third attempt, in which the government can in effect run “intersection attacks” to help trace users in a dynamic environment. However, this power to retain ICRs is not adequately future-proof, and it is also wide, since more complex patterns can be accessed, such as what else a person has been accessing, and more complex queries. This opens the door to full social network analysis using traffic records. Who keeps that data is not the issue: the key issue is what capabilities exist, who can use them, and what approval is needed. Access can be done directly, or through a “Filter”. Sadly, currently the only authorization necessary is the signature of a senior officer.
Gail Kent is next; she used to work for the National Crime Agency and is now with Facebook. She is happy that we debate, in the UK, issues of surveillance policy. She points out that this is a UK bill that will affect a technology and public policy debate world-wide. So if the UK gets this bill right, others will follow. But what will happen if, first, the bill is not compatible with other countries’ legislation and, second, it sets a bad example? On the first issue: this bill obligates providers to do things that are illegal elsewhere — this creates in some places a compliance challenge. Instead, there is a need for consistent treatment, and clarity. The second issue is what example this bill sets internationally: UK legislation does act as an example. So if the IP Bill does not do a good job of protecting liberty and privacy, then others will copy it and it will have an effect worldwide. If these issues are not dealt with, then bills such as this one may undermine the confidence users have in the Internet and in service providers.
Shami Chakrabarti, from Liberty, is next. First she reacts to David’s position: she is happy about his tone, but points out that human rights protect everything about being a human being, both security and privacy — thus they are not opposed in any way to each other. So the concerns about the Snowden revelations and then the worries about security cannot be described as a pendulum — people want and need both security and human rights, and considering these as a “pendulum” does not reflect this. She mentions that just because some things were done outside the law and are now within it, it does not mean that the balance is right when it comes to surveillance policy. She welcomes the openness, but there is still a need to ensure proportionality when it comes to surveillance. And proportionality has usually been about a targeted approach to surveillance, rather than the broad powers that are in this bill. She points out that there has not been a case made to go beyond such a targeted approach, and the fact that it was done before is a weak argument to allow it. A real-world parallel for some of the blanket powers would be an obligation to record using CCTV within private dwellings and offices. Such “bulk” powers are a major step in a democracy, with serious consequences. And the reason is not a belief that the state is wicked, but more about basic cyber security: there are provisions in the bill that attack the integrity of systems, and would allow terrorists and fraudsters to attack our systems. We have the right to protect ourselves against not only the state but also the enemies of the state, and this bill does not allow us to do this. To conclude, proportionality requires a targeted approach, and Binney in his testimony presents such an approach. If we can target people and groups, that is more in line with democratic tradition.
Ross Anderson goes last. He mentions that when powers to build large databases were proposed, home secretaries told parliament that they needed powers to build them. However, after Snowden we were told that the agencies had gone ahead and built them anyway. The UK reaction has been different from the US one. In the US the agencies made changes following the Snowden revelations. So it seems odd that the UK just wants to legalize everything wholesale, despite previous parliamentary objections. What we need is an international convention for cyber evidence: we need judicial warrants — since US courts cannot accept non-judicial warrants; respect for jurisdiction; and finally, we need transparency: when in court, or after a case is closed, people need to be told they were under surveillance.